CN105468295B - A kind of security protection access method and system for realizing object storage - Google Patents
A kind of security protection access method and system for realizing object storage Download PDFInfo
- Publication number
- CN105468295B CN105468295B CN201510781188.2A CN201510781188A CN105468295B CN 105468295 B CN105468295 B CN 105468295B CN 201510781188 A CN201510781188 A CN 201510781188A CN 105468295 B CN105468295 B CN 105468295B
- Authority
- CN
- China
- Prior art keywords
- client
- certificate
- access
- meta data
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/0614—Improving the reliability of storage systems
- G06F3/0617—Improving the reliability of storage systems in relation to availability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0668—Interfaces specially adapted for storage systems adopting a particular infrastructure
- G06F3/067—Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Human Computer Interaction (AREA)
- Bioethics (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a kind of security protection access method for realizing object storage, comprising: client obtains access certificate from certificate server, and itself and access request are sent at least three meta data servers together;After meta data server checks the validity of access certificate and access request, processing is carried out according to access request type and returns to corresponding metadata information to client;After client receives metadata information, to object storage device request data, object storage device can verify client after receiving request, and client can be sent the data to after.Correspondingly the present invention also provides a kind of security protections for realizing object storage to access system.The meta data server that the present invention passes through the multiple and different systems of setting, it is diversified simultaneously in the system of realization, the safety for enhancing system reliability and data storage access enhances the security performance of data access additionally by the certificate server of setting to client certificate.
Description
Technical field
The present invention relates to computer fields, and in particular to a kind of security protection access method and be for realizing that object stores
System.
Background technique
With the universal and rapid development of Internet and network application, increasingly increased number of users, data distribution
Regional space is more wide, data storage capacity explosive increase, and higher and higher data reliability requires and access data
Device category is increasing, proposes test to data-storage system and data safety.
The tremendous expansion of computer and network technologies has pushed being constantly progressive for file system perfect.It is deposited using distribution
The big data for the generation that storage (such as SAN and NAS) can be stored effectively.In face of mass data, to also having for the processing capacities of data
High requirement, an efficient file system can bring apparent performance boost.
Parallel file system (provides the NAS of file I/O and the SAN of block I/O compared to direct for user or application server
Compared to) there is larger performance boost for the access of data.The metadata and data separating of parallel file system access, and compose a piece of writing
Part system can be extended power system capacity by increasing the quantity of I/O node under the premise of not influencing global space management,
And by increasing meta data server to form Metadata server cluster, system can support more massive metadata management;
Parallel file system can provide the redundant storage of metadata simultaneously, it is possible to provide highly reliable service;Parallel file system is not deposited
In single point failure problem, important node and link can carry out redundancy between multiple I/O nodes with redundant configuration, significant data
Storage and automated back-up restore, and therefore, parallel file system has higher reliabilty and availability;Parallel file system simultaneously
Metadata is left concentratedly, is also beneficial to be managed collectively.
The appearance of object storage system effectively combines the advantages of NAS and SAN, not with traditional block storage and file storage
Together, data are organized as unit of object and accessed to the object storage device in object storage system, and externally providing has abundant language
The object interface of justice, is internally responsible for the internal disk space management of all objects.Due to the intelligence of object storage device, establish
Parallel file system on object storage device, i.e. object-based storage system are simpler and are easily managed, and object
The rich properties and elongated feature for being included make object storage support more complicated powerful file division function and flexible
System, the result is that object-based storage system scalability, performance, safety and in terms of have improvement.
The data and metadata of object storage system are separation storages, centrally stored due to metadata, although convenient for pipe
Reason, but when data volume increases, access request increases, in order to meet capacity and I/O bandwidth, as the key component of system, pressure
It can increase suddenly.The access technique of existing object storage device has the following deficiencies: (1) as access request increases, and object is deposited
Meta data server in storage system will appear delay machine phenomenon, and the probability of the system failure can increase with it;(2) since storage is crucial
The equipment of data is easier to become the main object of data theft, and general object storage system, and use is per family directly to first number
Metadata is obtained according to server, meta data server is directly exposed to outside, there is greater risk.
Summary of the invention
For the disadvantages described above or deficiency of the prior art, the present invention provides a kind of security protection access for realizing object storage
Method and system, wherein provide access service by setting at least three meta data servers for client, realize object and deposit
The diversification of storage system increases the reliability of system;Authentication management is carried out to client by certificate server, while to member
Data server carries out traffic monitoring, significantly improves the safety of data access.By executing the scheme in the present invention, significantly
The probability for reducing object storage system failure further ensures object storage system service quality.
To achieve the above object, the invention proposes a kind of security protection access method for realizing object storage, features
It is, which comprises
(1) client obtains access certificate from certificate server;
(2) access certificate and access request that client will acquire are sent at least three meta data servers together;
(3) it after the validity of meta data server inspection access certificate and access request, is carried out according to access request type
Processing: if access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If visiting
It asks that request is that permission operational order is requested, then after meta data server makes authorization decision, Authorization result is sent to object
Equipment is stored, is executed step (4), while returning to relevant metadata information to client, executes step (5)-(6);
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, abandons other meta data servers for being directed to same request
The metadata information of transmission;
(6) after client receives metadata information, to object storage device request data, object storage device receives request
After user can be verified, user can be sent the data to after.
As it is further preferred that the step (1) includes: firstly, client and certificate server consult session key;
After the session key encrypted certificate that certificate server is negotiated, it is sent to client, the session key docking that client is negotiated
The encrypted certificate of receipts is decrypted.
As it is further preferred that in step (3), the meta data server checks access certificate and access request
Validity specifically includes:
(3-1) checks client access certificate according to user's revocation list for locally saving, in user's revocation list
Preserve expired user or inactive users;
(3-2) carries out scope check, if permission is legal, root if access certificate is effective, to client access request
It is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being monitored to the meta data server turn-on flow rate, periodically to member number each in period T
It is compared according to the flow of server, if monitoring the data volume of any one meta data server than other Metadata Services
When the data volume of device is more, then judge that the meta data server in leak data, then closing the meta data server, and is
System safety inspection, reconfigures the environment of the meta data server, then restores data starting.
To achieve the above object, the present invention also provides a kind of security protections for realizing object storage to access system, including
An at least client Client, at least three meta data server MDS, certificate server TA, at least an object storage are set
Standby OSD, which is characterized in that
The client, for obtaining access certificate from certificate server, and the access certificate that will acquire and access are asked
It asks and is sent at least three meta data servers together;It is also used to receive the metadata information reached at first, abandons other yuan of number
According to the metadata information that server is sent, metadata information is to object storage device request data based on the received, and receives pair
The corresponding data returned as storage equipment;
The certificate server, for sending access certificate to client and assisting meta data server inspection access card
Book;
The meta data server, after the validity for checking access certificate and access request, according to access request class
Type is handled: if access request is request of data, returning to relevant metadata information to client;If access request is power
Operational order request is limited, then after meta data server makes authorization decision, Authorization result is sent to object storage device, together
When return to relevant metadata information to client;
The object storage device, the Authorization result sent for receiving the meta data server, and tied according to authorization
Fruit modifies to the permissions list locally saved;It is also used to carry out client after receiving the request of data that client is sent
Verifying, is sent to client for corresponding data after being verified.
As it is further preferred that the client and the certificate server consult session key;The authentication service
After the session key encrypted certificate that device is negotiated, it is sent to client, the session key that the client is negotiated is to received
Encrypted certificate is decrypted.
As it is further preferred that the meta data server, for checking the validity of access certificate and access request,
Specifically include: the meta data server checks client access certificate, the use according to the user's revocation list locally saved
Expired user or inactive users are preserved in the revocation list of family;If access certificate is effective, permission inspection is carried out to access request
It looks into, if permission is legal, is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being flowed the system also includes monitoring module for being opened to the meta data server
Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes
Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that
The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores
Data starting.
In general, it is put above technical scheme is compared with the prior art according to the present invention, mainly has technology below
Advantage:
1, the present invention is by setting at least three meta data servers, when any one server breaks down, for
The access request service of client is unaffected, meanwhile, meta data server does not need the synchronous operation of data yet, drops significantly
The low probability of the system failure, further ensures object storage system service quality, improves the reliability of data access;
2, in addition, the present invention authenticates client by certificate server, prevent illegal user's login system from obtaining
Data;Traffic monitoring is carried out to meta data server simultaneously, is compared, discovery immediately, and executes cleaning operation, then restores
Data are reworked, and the safety of data access is significantly improved.
Detailed description of the invention
Fig. 1 is a kind of basic structure schematic diagram of security protection access system for realizing object storage
Fig. 2 is a kind of data flow schematic diagram of security protection access method for realizing object storage
Fig. 3 is a kind of flow monitoring schematic diagram of security protection access system for realizing object storage
Fig. 4 is a kind of flow monitoring flow chart of security protection access method for realizing object storage
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right
The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and
It is not used in the restriction present invention.
The technical scheme is that realize in the following way, the physical environment and framework of system are as follows:
3 meta data server MDS are selected, the system of operation is Fedora, Centos, redhat respectively;More objects
Store equipment OSD, system Fedora;1 certificate server TA, system are redhat or Fedora;More client computer
Client, system Fedora.Storage system is OBS object storage system.Flow monitoring tool is tcpdump.It is taken in environment
After building up, three MDS are mounted to client computer.
As shown in Figure 1, the present invention provides a kind of security protections for realizing object storage to access system, including at least one
Client Client, at least three meta data server MDS, certificate server TA, at least an object storage device OSD,
It is characterized in that,
The client, for obtaining access certificate from certificate server, and the access certificate that will acquire and access are asked
It asks and is sent at least three meta data servers together;It is also used to receive the metadata information reached at first, abandons other yuan of number
According to the metadata information that server is sent, metadata information is to object storage device request data based on the received, and receives pair
The corresponding data returned as storage equipment;
The certificate server, for sending access certificate to client and assisting meta data server inspection access card
Book;
The meta data server, after the validity for checking access certificate and access request, according to access request class
Type is handled: if access request is request of data, returning to relevant metadata information to client;If access request is power
Operational order request is limited, then after meta data server makes authorization decision, Authorization result is sent to object storage device, together
When return to relevant metadata information to client;
The object storage device, the Authorization result sent for receiving the meta data server, and tied according to authorization
Fruit modifies to the permissions list locally saved;It is also used to carry out client after receiving the request of data that client is sent
Verifying, is sent to client for corresponding data after being verified.
As it is further preferred that the client and the certificate server consult session key;The authentication service
After the session key encrypted certificate that device is negotiated, it is sent to client, the session key that the client is negotiated is to received
Encrypted certificate is decrypted.
As it is further preferred that the meta data server, for checking the validity of access certificate and access request,
Specifically include: the meta data server checks client access certificate, the use according to the user's revocation list locally saved
Expired user or inactive users are preserved in the revocation list of family;If access certificate is effective, permission inspection is carried out to access request
It looks into, if permission is legal, is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being flowed the system also includes monitoring module for being opened to the meta data server
Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes
Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that
The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores
Data starting.
The invention also provides a kind of security protection access methods for realizing object storage, which is characterized in that the method
Include:
(1) client obtains access certificate from certificate server;
User logs in client computer, inputs the user name and password;Certification request is sent to certificate server TA, TA determines user
After legal, a certificate can be sent to user, user relies on certificate to metadata server cluster request data.TA can with
Family revocation information is sent to meta data server, so that meta data server authenticates user.Wherein, client and certification
Server consult session key first;After the session key encrypted certificate that certificate server is negotiated, it is sent to client, client
Received encrypted certificate is decrypted in the session key that end is negotiated.
(2) access certificate and access request that client will acquire are sent at least three meta data servers, institute together
The operating system for stating at least three meta data servers is different;
(3) it after the validity of meta data server inspection access certificate and access request, is carried out according to access request type
Processing: if access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If visiting
It asks that request is that permission operational order is requested, then after meta data server makes authorization decision, Authorization result is sent to object
Equipment is stored, is executed step (4), while returning to relevant metadata information to client, executes step (5)-(6);
The meta data server checks the validity of access certificate and access request, specifically includes:
(3-1) checks client access certificate according to user's revocation list for locally saving, in user's revocation list
Preserve expired user or inactive users;
(3-2) carries out scope check, if permission is legal, root if access certificate is effective, to client access request
It is handled according to access request type;Otherwise, then error message is returned.User only receives that most fast meta data server of return
Data certificate and necessary security parameter are sent to object storage device OSD then by data operation commands.
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, abandons the metadata letter of other meta data servers transmission
Breath;
(6) after client receives metadata information, to object storage device request data, object storage device receives request
After user can be verified, user can be sent the data to after.
User only receives the metadata information reached at first, then joins data operation commands, certificate and necessary safety
Number is sent to object storage device OSD;After object storage device OSD receives request, the certificate of user is checked, confirmation is used
The identity at family is determined according to grant column list to make authorization to user.If receiving and being data operation commands that client computer is sent
Return to the data of user's request;If what is received is the pre-authorization order that meta data server is sent, to the pre-granted being locally stored
It weighs list and carries out corresponding operation.
In conjunction with the data flow in Fig. 2, the above method is specifically described.
1. user requests certificate to certificate server, data are stolen in order to prevent, and user can first assist with certificate server
Quotient's session key passes through session key encrypted certificate;After certificate server session key encrypted certificate, it is sent to user, is used
After family receives the certificate of encryption, it is decrypted with the cipher key pair certificate of negotiation.
2. after user decrypts certificate, request and certificate are packaged into command description symbol, while issuing 3 Metadata Services
Device, each meta data server can all respond the request of user, specific steps: the first step checks the certificate of user,
There is a user's revocation list on every meta data server, preservation is expired user or invalid user.Second
Step can carry out scope check to the request of user, error message is returned if going beyond one's commission if the certificate of user is effective.
Third step can parse the command if permission is legal, return to relevant metadata information according to command type.
User terminal will receive the response of 3 meta data servers transmission, but only to receive portion most fast by user, and in addition two
A discarding.The benefit done so ensure that performance to greatest extent, while meta data server end can all handle user's request,
So the data on 3 meta data servers are consistent always.
3. after user has obtained the metadata of meta data server transmission, request data, object storage can be stored to object
Equipment can verify user after receiving request, and user can be sent the data to after.
4. the user certificate list of maintenance can be sent to meta data server by certificate server, verifying foundation is provided;
5. permission operational order, then meta data server can be according to preservation when the request not instead of request of data of user
Global access control list make authorization decision, send result to object storage device.Equipment is stored then to the power of preservation
Limit list is modified accordingly.
In addition, as shown in Figure 3-4, in technical solution proposed by the present invention, also opening stream to the meta data server
Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes
Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that
The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores
Data starting.
In this process, monitoring module can write down the data volume of each meta data server outflow, so as to the stage of progress
The comparison of property, discovers whether abnormal meta data server.
Data volume is sent than other that servers more than two if having found by the flow monitoring of tcpdump,
It will then be turned off, be cleared up immediately, reduction server to pure state.
When a machine because needing to restart again, it would be desirable to by data after failure or leak data are closed
Restored, needs to guarantee that the data of three meta data servers are the same.In an arrangement, it is taken in the metadata of failure
When device recovery data of being engaged in, server can work on, but failed machines are being closed between reworking
User's request is recorded, and is re-operated one time;In another scheme, when the meta data server of failure restores data
It waits, server can work on, but failed machines are recorded in the user's request closed between reworking,
The order for reading data can filter out, and request is classified with filename, delete command is handled at first, if finally there is deletion
Order does not just have to the order before operation, directly execution delete command, followed by write order and modification order.
The present invention data access critical path carry out redundancy, can tolerate meta data server continuously go bad two without
Function is influenced, there is very strong reliability;The present invention uses the scheme of multisystem isomery to the component on crucial path, increases
The diversity of system greatly reduces because the attack of a certain particular system leads to the completely obsolete risk of system, has very strong
Defense function;The present invention by increase a flow monitoring module, can by compare 3 meta data servers flow, from
And meta data server under attack can be found, and then close this meta data server, therefore have certain killing function.
Therefore, the present invention has very high reliability and safety.
As it will be easily appreciated by one skilled in the art that the foregoing is merely illustrative of the preferred embodiments of the present invention, not to
The limitation present invention, any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should all include
Within protection scope of the present invention.
Claims (8)
1. a kind of security protection access method for realizing object storage, which is characterized in that the described method includes:
(1) client obtains access certificate from certificate server;
(2) access certificate and access request that client will acquire are sent at least three meta data servers together;
(3) it after the validity of meta data server inspection access certificate and access request, is handled according to access request type:
If access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If access is asked
It asks and Authorization result is sent to object storage then after meta data server makes authorization decision for the request of permission operational order
Equipment executes step (4), while returning to relevant metadata information to client, executes step (5)-(6);
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, other meta data servers abandoned for same request are sent
Metadata information;
(6) after client receives metadata information, to object storage device request data, object storage device receives meeting after request
Client is verified, client can be sent the data to after;
While executing step (1)~(6), the meta data server turn-on flow rate is detected, periodically to each member in period T
The flow of data server compares, if monitoring that the data volume of any one meta data server takes than other metadata
When the data volume of business device is more, then judge that the meta data server in leak data, then closing the meta data server, and carries out
System safety inspection reconfigures the environment of the meta data server, then restores data starting.
2. the method according to claim 1, wherein the step (1) includes: firstly, client and certification clothes
Business device consult session key;After the session key encrypted certificate that certificate server is negotiated, it is sent to client, client association
Received encrypted certificate is decrypted in the session key of quotient.
3. the method according to claim 1, wherein the meta data server inspection accesses in step (3)
The validity of certificate and access request, specifically includes:
(3-1) checks client access certificate according to the user's revocation list locally saved, saves in user's revocation list
There are expired user or inactive users;
(3-2) carries out scope check if access certificate is effective, to client access request, if permission is legal, according to visit
Ask that request type is handled;Otherwise, then error message is returned.
4. the method according to claim 1, wherein the operating system of at least three meta data servers is not
Together.
5. a kind of security protection access system for realizing object storage, including an at least client Client, at least three members
Data server MDS, certificate server TA, at least an object storage device OSD, which is characterized in that
The client, for obtaining access certificate, and the access certificate and access request one that will acquire from certificate server
It rises and is sent at least three meta data servers;It is also used to receive the metadata information reached at first, abandons other metadata clothes
The metadata information that business device is sent, metadata information is to object storage device request data based on the received, and receives object and deposit
Store up the corresponding data that equipment returns;
The certificate server, for sending access certificate to client and meta data server being assisted to check access certificate;
The meta data server, after the validity for checking access certificate and access request, according to access request type into
Row processing: if access request is request of data, relevant metadata information is returned to client;If access request is permission behaviour
Make command request, then after meta data server makes authorization decision, Authorization result is sent to object storage device, is returned simultaneously
Relevant metadata information is returned to client;
The object storage device, the Authorization result sent for receiving the meta data server, and according to Authorization result pair
The permissions list locally saved is modified;It is also used to test client after receiving the request of data that client is sent
Card, is sent to client for corresponding data after being verified;
The system also includes monitoring modules, for monitoring to the meta data server turn-on flow rate, periodically in period T
The flow of each meta data server compares, if monitoring than other yuan number of data volume of any one meta data server
When more according to the data volume of server, then the meta data server is judged in leak data, then close the meta data server, and
Carry out system safety inspection, reconfigures the environment of the meta data server, then restores data starting.
6. system according to claim 5, which is characterized in that the client and the certificate server consulting session are close
Key;After the session key encrypted certificate that the certificate server is negotiated, it is sent to client, the meeting that the client is negotiated
The words received encrypted certificate of key pair is decrypted.
7. system according to claim 5, which is characterized in that the meta data server, for check access certificate and
The validity of access request, specifically includes:
The meta data server checks client access certificate, user's revocation according to the user's revocation list locally saved
Expired user or inactive users are preserved in list;
If access certificate is effective, to access request carry out scope check, if permission is legal, according to access request type into
Row processing;Otherwise, then error message is returned.
8. system according to claim 5, which is characterized in that the operating system of at least three meta data servers is not
Together.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510781188.2A CN105468295B (en) | 2015-11-14 | 2015-11-14 | A kind of security protection access method and system for realizing object storage |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510781188.2A CN105468295B (en) | 2015-11-14 | 2015-11-14 | A kind of security protection access method and system for realizing object storage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105468295A CN105468295A (en) | 2016-04-06 |
CN105468295B true CN105468295B (en) | 2019-03-05 |
Family
ID=55606048
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510781188.2A Active CN105468295B (en) | 2015-11-14 | 2015-11-14 | A kind of security protection access method and system for realizing object storage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105468295B (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10380100B2 (en) * | 2016-04-27 | 2019-08-13 | Western Digital Technologies, Inc. | Generalized verification scheme for safe metadata modification |
CN106250762A (en) * | 2016-07-18 | 2016-12-21 | 乐视控股(北京)有限公司 | For the method and system preventing storage object from illegally quoting |
US10320572B2 (en) * | 2016-08-04 | 2019-06-11 | Microsoft Technology Licensing, Llc | Scope-based certificate deployment |
CN106506668B (en) * | 2016-11-23 | 2019-07-16 | 浪潮云信息技术有限公司 | A method of object storage is realized based on distributed storage |
US10348764B2 (en) * | 2017-06-28 | 2019-07-09 | GM Global Technology Operations LLC | System and method for intercepting encrypted traffic and indicating network status |
CN109218425A (en) * | 2018-09-17 | 2019-01-15 | 苏州爱开客信息技术有限公司 | Distributed intelligence shutdown system |
CN112783822B (en) * | 2019-11-04 | 2023-11-03 | 上海云教信息技术有限公司 | Data harvesting method and device for decentralizing scientific data sharing platform |
CN111131441A (en) * | 2019-12-21 | 2020-05-08 | 西安天互通信有限公司 | Real-time file sharing system and method |
CN111245933A (en) * | 2020-01-10 | 2020-06-05 | 上海德拓信息技术股份有限公司 | Log-based object storage additional writing implementation method |
CN114117507B (en) * | 2020-08-28 | 2024-01-30 | 中国电信股份有限公司 | Object storage system, access control method and device thereof, and storage medium |
CN112910868A (en) * | 2021-01-21 | 2021-06-04 | 平安信托有限责任公司 | Enterprise network security management method and device, computer equipment and storage medium |
CN112947864B (en) * | 2021-03-29 | 2024-03-08 | 南方电网数字平台科技(广东)有限公司 | Metadata storage method, apparatus, device and storage medium |
CN115174602B (en) * | 2022-06-30 | 2023-04-18 | 浙江蓝景科技有限公司 | Data processing method and system applied to fishery management |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101605137A (en) * | 2009-07-10 | 2009-12-16 | 中国科学技术大学 | Safe distribution file system |
CN101997823A (en) * | 2009-08-17 | 2011-03-30 | 联想(北京)有限公司 | Distributed file system and data access method thereof |
CN104320401A (en) * | 2014-10-31 | 2015-01-28 | 北京思特奇信息技术股份有限公司 | Big data storage and access system and method based on distributed file system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103617308B (en) * | 2013-10-30 | 2016-06-08 | 河海大学 | A kind of construction method of wind power plant frequency domain equivalent model |
-
2015
- 2015-11-14 CN CN201510781188.2A patent/CN105468295B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101605137A (en) * | 2009-07-10 | 2009-12-16 | 中国科学技术大学 | Safe distribution file system |
CN101997823A (en) * | 2009-08-17 | 2011-03-30 | 联想(北京)有限公司 | Distributed file system and data access method thereof |
CN104320401A (en) * | 2014-10-31 | 2015-01-28 | 北京思特奇信息技术股份有限公司 | Big data storage and access system and method based on distributed file system |
Also Published As
Publication number | Publication date |
---|---|
CN105468295A (en) | 2016-04-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105468295B (en) | A kind of security protection access method and system for realizing object storage | |
CN106060796B (en) | The backup destroying method and device of terminal | |
CN101764819B (en) | For detecting the method and system of man-in-the-browser attacks | |
KR101431333B1 (en) | System and method of data federation module for sociality storage service on cloud computing | |
CN110489996B (en) | Database data security management method and system | |
US9594922B1 (en) | Non-persistent shared authentication tokens in a cluster of nodes | |
CN105511805A (en) | Data processing method and device for cluster file system | |
JP2008537203A (en) | Disaster recovery framework | |
US8719923B1 (en) | Method and system for managing security operations of a storage server using an authenticated storage module | |
US20040111391A1 (en) | Command processing system by a management agent | |
CN105430016A (en) | Network access authentication method and system | |
US20120331538A1 (en) | Method and communication device for accessing to devices in security | |
CN105553783A (en) | Automated testing method for switching of configuration two-computer resources | |
CN104219080A (en) | Method for recording logs of error pages of websites | |
CN112769932A (en) | Distributed cloud storage system based on block chain and data separation | |
CN103297441A (en) | Access control method and device | |
CN109889518A (en) | A kind of encryption storage method | |
CN109815725B (en) | System and method for realizing data safety processing | |
CN111371588A (en) | SDN edge computing network system based on block chain encryption, encryption method and medium | |
CN113961892A (en) | Account security control method and system, readable storage medium and computer equipment | |
US20140007197A1 (en) | Delegation within a computing environment | |
CN101408955A (en) | Method and system determining obligation base on tactic | |
CN111488597B (en) | Safety audit system suitable for cross-network safety area | |
CN107172078B (en) | Security management and control method and system of core framework platform based on application service | |
CN113765672A (en) | Medical attribute token access control method, system, storage medium and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |